The banking, financial services and insurance (BFSI) sector stands at the forefront of digital transformation, leveraging web applications and APIs to offer seamless services to customers across the globe. This digital revolution has opened doors to unprecedented opportunities, enabling financial institutions to transcend geographical boundaries and temporal constraints.

According to the BCA report, the Asia-Pacific digital banking platform market is expected to reach US$ 2,423.8 Mn by 2027, reflecting a compound annual growth rate (CAGR) of 14.4% between 2018 and 2027, says Business Market Insights. This growth is primarily driven by the rising digitalization in the BFSI sector and the growing demand for mobile banking solutions. As an example, BCA (Bank Central Asia), Indonesia’s largest bank by market capitalization and one of the largest in Southeast Asia, says that its customers’ mobile banking has tripled in the past four years, and mobile is now the most popular way of banking with BCA, accounting for nearly 42 million transactions per day.

However, with great opportunities come significant challenges, especially in the realm of cybersecurity. As the attack surface expands in the BFSI sector, safeguarding IT infrastructures through web application security has become paramount. BFSI entities need to employ strategies that can detect and counteract evolving cyber threats while addressing the risks and vulnerabilities that make the industry a prime target for cybercriminals.

Overall BFSI risks

The BFSI sector’s rapid digitalization has ushered in a new era of convenience and accessibility for customers. However, it has also attracted the attention of cybercriminals who seek to exploit vulnerabilities within web applications and APIs. These attacks underscore the importance of proactive cybersecurity measures in an era where traditional security measures often fall short. With automation and AI, attackers are retooling faster than ever.

Financial institutions have always been prime targets for cybercriminals due to the lucrative nature of the industry. The sector deals with vast amounts of sensitive financial data, making it an attractive target for those seeking financial gain. Cybercriminals aim to steal this data for fraudulent purposes. The interconnected nature of BFSI systems and the reliance on third-party services also contributes to a complex ecosystem that cybercriminals can exploit. Weak links in this chain can be targeted to gain access to more significant assets, and according to Verizon’s Data Breach Investigation Report (DBIR), web applications have been the most common entry point for data breaches for several years running. In addition, the BFSI sector faces stringent regulatory compliance requirements, which, if not met, can lead to legal consequences. Cybercriminals may attempt to exploit compliance weaknesses.

Today’s BFSI threat landscape

BFSI companies face a myriad of threats targeting their applications and APIs. Firstly, Distributed Denial of Service (DDoS) attacks pose a significant threat, as they can disrupt online services, leading to financial losses and damage to the institution’s reputation. DDoS attacks are becoming easier for attackers to initiate, with DDoS-for-hire services and increased use of virtual compute services of cloud providers to launch high-intensity attacks that are easy to spin up (with attackers often using stolen credit card information to pay for such services).

Additionally, the proliferation of unsecured APIs in the BFSI sector can expose sensitive customer data to theft and manipulation, potentially leading to severe regulatory penalties and loss of trust. In fact, Gartner predicts that by 2025, 50 percent of data theft will be due to unsecured APIs. Lastly, the rise of malicious bots has led to an increase in credential stuffing and automated fraud attempts, presenting an ongoing challenge for the industry as they evolve in sophistication and capability. With bots making up more than 50 percent of all internet traffic today, it’s important to be aware that malicious bots are constantly scanning BFSI applications and APIs looking for security misconfigurations and vulnerabilities.
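As an added illustration of what detecting the credential stuffing described above can look like (this code is not part of the original article), the following Python example flags source IPs that fail logins against many distinct accounts in a short window, while ignoring one customer retyping a password. The log format, the sample lines, the thresholds and all function names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:02 203.0.113.7 bob FAIL
2024-01-10T09:00:03 203.0.113.7 carol FAIL
2024-01-10T09:00:04 203.0.113.7 dan FAIL
2024-01-10T09:00:05 203.0.113.7 erin FAIL
2024-01-10T09:01:00 198.51.100.20 frank FAIL
2024-01-10T09:01:20 198.51.100.20 frank FAIL
2024-01-10T09:01:40 198.51.100.20 frank FAIL
2024-01-10T09:02:00 198.51.100.20 frank OK
2024-01-10T09:03:00 192.0.2.4 grace OK
"""

WINDOW = timedelta(minutes=5)  # assumed sliding-window length
MIN_USERS = 5                  # assumed threshold of distinct usernames per IP


def failed_logins_by_ip(log_text):
    """Group failed login events as {ip: [(timestamp, username), ...]}."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, user, result = parts
        if result == "FAIL":
            fails[ip].append((datetime.fromisoformat(ts), user))
    return fails


def detect_credential_stuffing(log_text, window=WINDOW, min_users=MIN_USERS):
    """Return IPs that failed logins for >= min_users distinct usernames
    inside any single window. Repeated failures on one account do not count."""
    flagged = set()
    for ip, events in failed_logins_by_ip(log_text).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({user for _, user in events[start:end + 1]}) >= min_users:
                flagged.add(ip)
                break
    return flagged
```

Counting distinct usernames rather than raw failures is what separates the automated pattern from a single customer who mistypes a password several times.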

Securing BFSI web applications and infrastructure

To lower the risk of attacks on BFSI applications and infrastructure, enterprises should strongly consider implementing the following people, process, and technology best practices:

  1. Advanced threat detection: Advanced threat detection mechanisms can identify abnormal patterns of behavior within web applications. Machine learning and AI-driven solutions can help BFSI entities stay one step ahead of cybercriminals.
  2. Security assessments: Regular security assessments and penetration testing are essential to identify vulnerabilities within web applications. A proactive approach to testing and patching vulnerabilities to prevent exploitation is required.
  3. Secure coding practices: Ensuring that web applications are developed with secure coding practices in mind is crucial. This approach involves input validation, output encoding, and parameterized queries to prevent common vulnerabilities like SQL injection and cross-site scripting (XSS).
  4. Encryption: The significance of encryption in securing data both in transit and at rest cannot be overstated. The use of secure protocols like HTTPS and SSL/TLS can prevent data breaches.
  5. Access control: Strong authentication mechanisms, such as two-factor authentication, help prevent unauthorized access to sensitive data.
  6. API security: APIs are the lifeblood of modern BFSI applications, so discovering API endpoints and securing them against malicious requests is critical and should not be overlooked.
  7. DDoS protection: The high availability and performance requirements of BFSI applications require scalable protection against DDoS attacks, which are increasing in complexity and size each year.
  8. Bot management: Bot Management solutions help separate benign bots (e.g., search engine bots) from malicious bots (e.g., those attempting Account Takeover attacks), better protecting BFSI customers and greatly reducing unwanted traffic on critical applications and APIs.
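Item 3 above names input validation, output encoding and parameterized queries. The following added Python example (not from the original article) places a string-concatenated account lookup beside a validated, parameterized one and encodes the result for HTML output. The `accounts` table, the 10-digit account-number format, the sample rows and all function names are assumptions made for the example.

```python
import html
import re
import sqlite3

ACCOUNT_RE = re.compile(r"\d{10}")  # assumed format: exactly 10 digits


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (number TEXT, owner TEXT, balance INTEGER)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1000000001", "Alice", 500), ("1000000002", "<b>Bob</b>", 900)],
    )
    return db


def lookup_unsafe(db, number):
    """Weak form: caller input becomes part of the SQL text itself."""
    sql = "SELECT owner, balance FROM accounts WHERE number = '" + number + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, number):
    """Hardened form: validate the input, then bind it as a parameter."""
    if not ACCOUNT_RE.fullmatch(number):
        raise ValueError("invalid account number")
    sql = "SELECT owner, balance FROM accounts WHERE number = ?"
    return db.execute(sql, (number,)).fetchall()


def render_row(owner, balance):
    """Output encoding: stored markup is shown as text, not interpreted."""
    return f"<td>{html.escape(owner)}</td><td>{int(balance)}</td>"


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print(len(lookup_unsafe(db, crafted)), "rows leaked by the weak form")
    try:
        lookup_safe(db, crafted)
    except ValueError as exc:
        print("hardened form rejected input:", exc)
    print(render_row(*lookup_safe(db, "1000000002")[0]))
```

Validation and parameter binding are independent layers here: even if the format check were removed, the bound parameter would be compared as a literal value and match no row.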

Choosing a holistic Web Application and API Protection (WAAP) solution can provide protection against many of the most common and critical threats BFSI institutions face today, including advanced threats, API abuse, DDoS attacks, and malicious bot traffic. While helping to fulfill multiple compliance requirements (including PCI DSS 6.6 and others), a unified WAAP can replace multiple security point solutions, helping enterprises lower costs, simplify security, and strengthen their overall security posture.


As the BFSI sector continues its digital transformation journey, safeguarding customer and business data through robust web application security is not an option but a necessity. In a world where cyber threats are constantly evolving, BFSI organizations must adopt proactive cybersecurity measures, including the people, process, and technology recommendations mentioned above. By doing so, they can better protect their customers’ financial data, maintain regulatory compliance, and bolster their resilience against cyber threats. As financial institutions embrace digital innovation, partnering with cybersecurity experts can be a tremendous help in navigating the wide landscape of web application security.

Laurent Perche is the Digital & Security Strategist, based in the APAC region at Edgio, Inc. (Nasdaq: EGIO).

Laurent is a highly experienced Digital and Security Strategist based in the APAC region, with over 20 years of experience in the industry. Laurent is responsible for working with clients to develop and implement customized solutions that address their unique digital and security challenges and goals.

He has a deep understanding of the digital landscape and is passionate about helping businesses leverage technology to achieve their goals. Throughout his career, Laurent has held diverse roles and has worked with clients across a broad range of industries. He is known for his innovative thinking and his ability to develop and implement effective digital and security strategies that drive business growth. Laurent is committed to staying at the forefront of the latest trends and technologies in the industry and constantly seeking new ways to help his clients stay ahead of the curve.

TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.